The problem
In the past I did several risk assessments for different type of companies, including some that could be considered as critical infrastructures. For this reason I’ve spent some time reviewing different approaches to perform risk assessments in this kind of infrastructures and I found most of them maintain the classical approach of identify threat and vulnerabilities to estimate the likelihood, using the product of likelihood and impact to get the risk.
I think it’s the right approach for the Known risks, I mean the risks that we can easily think about. However, these approaches have a big weakness since if you can’t imagine a possible treat source or you don’t consider a given vulnerability you won’t take into consideration some important risks.
The cause
And this is because when we analyze the risks of Critical infrastructures, and it could happen in other organizations as well, we should consider some risks that may have an enormous impact but it’s really difficult to think about it since it haven’t happened never before.
Yes, we are talking about the risks defined by the Black Swan Theory, so these risks that are so hard to predict because they are beyond the realm of normal expectations.
Some well-known real examples could be the terrorist attacks of 11/09 in NY or the 11/03 in Madrid, but we can find also some nice technologic examples such the ‘Equation Group’. Who could imagine such kind of advanced malware in our hard disks firmware? I never consider this kind of risks when I did risk assessments because I couldn’t anticipate it, but it’s something that was happening during years!
So it’s clear that if you want to have a heuristic approach to risk assessment, and I really think we must have this kind of approach if we talk of critical infrastructures, we can’t use only the classic risk assessment methodologies because it’s impossible to consider all the possible threats or all the possible risk scenarios. Doesn’t matter how experts we are. Even if you could use all the experts in the world and you get all the time and budget to do your risk assessment you will ever forget some risks because the possible risks are nearly infinite.
The solution (or at least my proposal)
My proposal to solve this problem is to complement any of the classical methodologies (the one that you prefer) with a holistic approach. As we said, the problem is that we can’t imagine all the threats and we can’t define their likelihood so let’s stop to loss time trying to get it. I propose to forget these vectors and perform our risk assessments only based in the impact. Let’s forget about threats and vulnerabilities since we can’t identify all of it and we can’t quantify their probability.
Examples and conclusion
Let’s illustrate the idea with some examples.
Example 1: In a classical risk assessment you will think about how your competitors could try to enter in your network to get your strategic and confidential information. This exercise of ‘think as your enemies’ could be really useful to detect the ‘known risks’ and prepare controls and countermeasures and prioritize their implementation according to the cost-benefit analysis.
But you can go beyond this and on top of this classic approach assume that your network has been already powned and your confidential information has been stolen by your competitors. Don’t waste time thinking how, you already did it in your classical approach. Doesn’t matter how, the fact is that it already happen. So the risk is that your confidential information is in your competitor’s hands and then my proposal is to focus in countermeasures and controls to mitigate the impact. In this example, some controls could be strong encryption, honey-documentation (fake documentation to introduce noise..), etc..
Example 2: Other example can be a nuclear plant. They can use the traditional risk assessment approach to prevent and mitigate the known risks, but for sure, they must establish controls to prevent their industrial system being exploited by a threat that wasn’t taken into consideration in their risk assessment. They need to establish controls to prevent security incidents if their controls to segment their IT network and their industrial network are compromised.
They must consider any unexpected unknown risks and the only way that I can see to do that is to be totally focus in the possible impacts avoiding considering the classic threat-vulnerability approach for that unknown risks.
For sure you will find a lot of additional examples where this ‘impact only’ approach could be useful to complement the traditional risk assessment and try to manage these black-swans in your organization.
I really hope you enjoy this post and I’ll be interested in heard your feedback and thoughts about it.